Security Patch Update for RealPlayer Enterprise

Updated June 23, 2005

RealNetworks, Inc. has addressed recently discovered security vulnerabilities that offered the potential for an attacker to run arbitrary or malicious code on a customer's machine. RealNetworks has received no reports of machines compromised as a result of the now-remedied vulnerabilities. RealNetworks takes all security vulnerabilities very seriously.

The specific exploits were:

  • Exploit 1: To fashion a malicious MP3 file RAM file to allow the overwriting of a local file or execution of an ActiveX control on a customer's machine.
  • Exploit 2: To fashion a malicious RealMedia file which uses RealText to cause a heap overflow which could allow an attacker to execute arbitrary code on a customer's machine.
  • Exploit 3: To fashion a malicious AVI file to cause a buffer overflow which could have allowed an attacker to execute arbitrary code on a customer's machine.
  • Exploit 4: Using default settings of earlier Internet Explorer browsers, a malicious website could cause a local HTML file to be created and then trigger an RM file to play which would then reference this local HTML file.

Impacted Products and Versions:
This affects versions 1.1, 1.2, 1.5, 1.6 and 1.7 of RealPlayer Enterprise (standalone and as configured by the RealPlayer Enterprise Manager).

Workaround
To ensure that your Player is protected, we recommend installing the available updates.

UPDATES

Windows Players:

RealPlayer Enterprise Solution:
Updated .DLL files that address the security vulnerability in a previously installed RPEM / RDM:

rtff3260.dll
vidp3260.dll
rcap3260.dll
chia3260.dll

Copy these files into the \Program Files\Common\Real\Common directory of an existing RPEM/RDM install.
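
One way to apply the copy step above and confirm that all four DLLs on a host match the update, shown as an added example that is not RealNetworks code. The staging folder C:\Temp\RealPatch, the .prepatch.bak backup suffix and the use of the system drive are assumptions.

```powershell
# Added example (not vendor code). Requires PowerShell 4.0+ for Get-FileHash.
# Run without -Apply to audit only; with -Apply to back up and replace the DLLs.
param(
    # Assumption: folder where the updated DLLs from the vendor were unpacked.
    [string]$StagingDir = 'C:\Temp\RealPatch',
    # Directory named in the advisory, assumed to be on the system drive.
    [string]$InstallDir = "$env:SystemDrive\Program Files\Common\Real\Common",
    [switch]$Apply
)

# The four files listed in the advisory.
$PatchedFiles = 'rtff3260.dll', 'vidp3260.dll', 'rcap3260.dll', 'chia3260.dll'

function Get-PatchStatus {
    param([string]$Source, [string]$Target)
    if (-not (Test-Path -LiteralPath $Source)) { return 'UpdateFileMissing' }
    if (-not (Test-Path -LiteralPath $Target)) { return 'NotInstalled' }
    # Compare content, not timestamps: a copied file keeps no trustworthy date.
    $s = (Get-FileHash -LiteralPath $Source -Algorithm SHA256).Hash
    $t = (Get-FileHash -LiteralPath $Target -Algorithm SHA256).Hash
    if ($s -eq $t) { 'Patched' } else { 'Outdated' }
}

$results = foreach ($name in $PatchedFiles) {
    $src = Join-Path $StagingDir $name
    $dst = Join-Path $InstallDir $name
    $status = Get-PatchStatus -Source $src -Target $dst

    if ($Apply -and $status -in 'Outdated', 'NotInstalled') {
        if ($status -eq 'Outdated') {
            # Keep the old DLL under a non-loadable name for rollback.
            Copy-Item -LiteralPath $dst -Destination "$dst.prepatch.bak" -Force
        }
        # Fails if the DLL is loaded by a running process; close the player first.
        Copy-Item -LiteralPath $src -Destination $dst -Force
        $status = Get-PatchStatus -Source $src -Target $dst
    }
    [pscustomobject]@{ File = $name; Status = $status }
}

$results | Format-Table -AutoSize

# Non-zero exit lets a deployment tool flag hosts that are still unpatched.
if (@($results | Where-Object Status -ne 'Patched').Count -gt 0) { exit 1 }
```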

Your PAM site will contain a complete / updated copy of RPEM / RDM.

Acknowledgements:

RealNetworks would like to acknowledge John Heasman of NGS Software, iDEFENSE Labs, and eEye Digital Security for bringing these exploits to our attention as well as those who subsequently worked with RealNetworks to correct the vulnerabilities.

WARRANTY:

While RealNetworks endeavors to provide you with the highest quality products and services, we cannot guarantee and do not warrant that the operation of any RealNetworks product will be error-free, uninterrupted or secure. See your original license agreement for details of our limited warranty or warranty disclaimer.